WebApp Sec mailing list archives

Re: SMS protection


From: Marcel Tudorache <marceltudorache () yahoo com>
Date: Sat, 29 Oct 2011 16:13:49 -0700 (PDT)

Hi Nick,

Thank you for your answer.
It would be interesting to know why you think that it couldn't be used for online banking?

What I like about the SMSes as compared to the cryptographic tokens is that you can receive the transaction details on 
your GSM, which should be safer than via the email, and this prevents the phishing, MIB type of attacks.

My security solution involves as well two different persons that have to sign one transaction. Also the transaction 
details are sent to the SMS of each one of them together with the security code.

Would the fact that two persons need to sign a transaction make it more difficult to be hacked?

Best regards,
Marcel

----- Original Message -----
From: Nick Owen <nowen () wikidsystems com>
To: Marcel Tudorache <marceltudorache () yahoo com>
Cc: "webappsec () securityfocus com" <webappsec () securityfocus com>
Sent: Tuesday, October 25, 2011 4:16 PM
Subject: Re: SMS protection

On Fri, Oct 21, 2011 at 1:57 PM, Marcel Tudorache
<marceltudorache () yahoo com> wrote:
Hi,


I was wondering how secure an SMS is when used as an authentication/transaction signing means for an application 
similar to online banking.

To make the analysis more targeted the following assumptions are made:
- I understand that the new smartphones can get viruses, but I would like to analyse the simple case where we assume 
that the user does his due diligence and either does not navigate on the internet or navigates on a limited number of 
trusted websites, so the assumption is that the user does not have a trojan/malware/virus on the smartphone.
- Bluetooth is off
- Wifi off...
- the attacker does not have physical access to the mobile phone

I think that the SIM card is pretty difficult to be hacked; from my smart card experience (limited), I would assume 
that before allowing the access to the network of a cloned SIM card the operator might validate some signature of the 
sim-card (I guess that when the operator issues SIM cards they sign them with their private key... or a similar 
process).

The question is merely about the intrinsic security of receiving an SMS, and how easy it would be for an attacker to 
read the SMS of somebody else taking into account the above assumptions.

I think it should be pretty secure; what do you think?

Marcel:

I think SMS is slightly more secure than sending an email.  There is
no guarantee that the SMS is sent encrypted over the carriers'
platforms. In fact, they have little incentive to add encryption. If I
were an attacker, I would be very interested in getting control of an
SMS server.

Carriers also have a big disincentive to securing accounts.  If they
make their password recovery systems too hard, they will get slammed
with help desk calls.  Please see
http://consumerist.com/2008/04/flawed-security-lets-sprint-accounts-get-easily-hijacked.html
for an example of this.

Further, there are the Nokia phones that can be programmed to imitate
any phone: http://www.pcworld.com/businesscenter/article/163409/criminals_pay_top_money_for_hackable_nokia_phone.html.
There may not be many of these out there, but it is also a PoC for
other attacks.

My belief is that you need to control the encryption.  Still SMS-based
systems are better than static passwords in most instances - but not
online banking.

HTH,

Nick

-- 
Nick Owen
WiKID Systems, Inc.
404.962.8983
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
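The scheme Marcel describes (the transaction details delivered in the same SMS as the security code, and two people signing each transaction) can be modelled as a code that is computed over the transaction text itself, so a code approved for one transaction cannot authorize another. This is an added example, not code from the thread or from any product mentioned in it; the signer keys, nonce and transaction fields are constructed.

```python
import hashlib
import hmac

def describe(txn):
    # Canonical text of the transaction; this is exactly what the signer reads in the SMS.
    return f"{txn['amount']} {txn['currency']} to {txn['beneficiary']} ref {txn['ref']}"

def issue_code(signer_key, txn, nonce):
    # The code is an HMAC over a fresh per-transaction nonce plus the transaction text,
    # truncated to six digits for typing. Changing any field changes the code.
    mac = hmac.new(signer_key, f"{nonce}|{describe(txn)}".encode(), hashlib.sha256).digest()
    code = f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"
    sms = f"Approve {describe(txn)}? Code: {code}"
    return code, sms

def verify_code(signer_key, txn, nonce, submitted):
    # Recompute from the transaction the server is about to execute, not from what the
    # browser claims was shown; constant-time compare avoids leaking digit matches.
    expected, _ = issue_code(signer_key, txn, nonce)
    return hmac.compare_digest(expected, submitted)

def authorize(signer_keys, txn, nonce, submitted_codes):
    # Dual control: every registered signer must have returned a valid code for this
    # exact transaction and nonce. A missing or wrong code from either signer blocks it.
    if len(signer_keys) < 2:
        return False
    return all(verify_code(key, txn, nonce, submitted_codes.get(name, ""))
               for name, key in signer_keys.items())

def demo():
    # Constructed per-signer secrets (would be provisioned out of band in a real deployment).
    keys = {"alice": b"alice-constructed-key-0123456789", "bob": b"bob-constructed-key-0123456789ab"}
    nonce = "7f3a9c1e"  # constructed; must be fresh per transaction and stored server-side
    txn = {"amount": "1500.00", "currency": "EUR", "beneficiary": "IBAN XX00 1234", "ref": "INV-42"}
    codes = {name: issue_code(key, txn, nonce)[0] for name, key in keys.items()}
    # A man-in-the-browser that swaps the beneficiary after both users approved the SMS text.
    tampered = dict(txn, beneficiary="IBAN YY99 9999")
    return {
        "both_signed": authorize(keys, txn, nonce, codes),
        "one_signer": authorize(keys, txn, nonce, {"alice": codes["alice"]}),
        "tampered": authorize(keys, tampered, nonce, codes),
        "replayed_nonce": authorize(keys, txn, "0000beef", codes),
    }
```

Binding the code to the transaction text only defeats a browser that alters the transaction after the user approved it; it does nothing against the carrier-side exposure Nick raises, because anyone who can read the SMS in transit also reads the code.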
